Breaking News
More () »

VERIFY: Beware fake CDC, WHO phishing emails amid coronavirus, attorneys general say

The World Health Organization and Centers for Disease Control and Prevention will not send you emails prompting you to enter personal information.


Will public health agencies like the Centers for Disease Control and World Health Organization ever send you unsolicited emails asking for personal information?


No. The Federal Trade Commission, World Health Organization, Maryland Attorney General Brian Frosh and Virginia Attorney Mark Herring are warning the public about phishing attempts by people pretending to be the CDC and WHO.


World Health Organization: "Beware of criminals pretending to be WHO"

Federal Trade Organization: "Coronavirus: Scammers follow the headlines

Attorney General Mark Herring: "Attorney General Herring urges Virginians to Be Way of Coronavirus Related Scams"

Attorney General Brian Frosh: "Attorney General Fosh Warns Marylanders About Coronavirus Disease 2019 Scams"

David Emm: Principal Security Researcher at Kaspersky

Sherrod Degrippo: Senior Director of Threat Research and Detection at Proof Point

Matt Lourens: Security Engineering Manager at Check Point


Lots of people on social media are tweeting out screenshots of emails supposedly coming from public health agencies like the Centers for Disease Control and Prevention or the World Health Organization.

One person even tweeted out a screenshot of a fake CDC Paypal account.

So we're verifying, will these public health agencies really email you asking for your personal information?

Our Verify experts reached out to the World Health Organization, Federal Trade Commission, Maryland Attorney General Brian Frosh, Virginia General Attorney Mark Herring and cybersecurity agencies.

"Beware of criminals pretending to be WHO," the agency writes on its site. 

Credit: Kaspersky
Online scammers across the globe are leveraging the coronavrius outbreak and spoofing real health organizations to steal personal information.

WHO said it will never ask you to login to view safety information, never email attachments you didn't ask for, or ask you to donate directly to emergency response plans or funding appeals. 

They're not the only health organization falling victim to a cyber attack. Both Herring and Frosh issued warnings to look out for anyone claiming to be from the CDC or "experts saying that they have information about the coronavirus."

"Scammers are taking advantage of people’s fear of getting sick from COVID-19. Consumers can avoid being cheated by understanding how these thieves are trying to steal their personal information and money," Frosh said.

The FTC said the emails may promote awareness and prevention tips, and fake information about cases in your neighborhood. They also said these phishing emails may ask you to donate to victims, offer advice on unproven treatments, or contain malicious email attachments. 

Cybersecurity firms across the globe are on high alert tracking coronavirus-related phishing attempts and warning clients to be wary of unsolicited messages.

Credit: WUSA
Sherrod Degrippo, senior director of threat research and detection at Proof Point says hackers are after credential information and installing malware on your computer. "They could potentially steal money out of your bank account, they could connect to other services, they could turn on or off billing or they could make purchases in your name fraudulently," Degrippo said.

"We're seeing multiple campaigns a day now of this," Sherrod Degrippo, senior director of threat research and detection at Proof Point, said. "Sometimes two and three a day that are leveraging the coronavirus concerns to sort of scare people into clicking on something, opening it and installing malicious software onto their computers."

Credit: WUSA
David Emm at Kaspersky says you should always check that the domain name in the email address corresponds to the legitimate organization.

David Emm, principal security researcher at Kaspersky explained that hackers are evolving, and the onus is on the public to become smarter and better equipped.

"Look to see what the domain name is that the email has come from, does it really match the legitimate one?" Emm said. "It's always better if you intend to go to a website to go to the website by typing it in yourself..rather than just guessing."

Since January 2020, there's been 4,000 coronavirus-related domains registered globally, according to security software company Check Point. 

Matt Lourens, a security engineering manager at Check Point, explained that about three percent of domains were found to be "malicious," meaning operating with the intent to steal money or data, and five percent were found to be "suspicious," which showed no clear purpose for existing.

"It's a massive amount, Lorens said. "We've already identified an excess of 400-500 that are absolutely malicious sites with the intent of creating chaos." 

So we can Verify, no, the CDC and WHO are not emailing you, asking for personal information. Be wary of any info you get from an unsolicited email.

RELATED: VERIFY: Does the Coronavirus test really cost $3,000?

RELATED: VERIFY: Lysol can help stop spread of new coronavirus strain

RELATED: VERIFY: Watch out for coronavirus scams

Download the brand new WUSA9 app here.

Sign up for the Get Up DC newsletter: Your forecast. Your commute. Your news.

Before You Leave, Check This Out